Secure communication between dynamically created Droplets (Tinc VPN)?

July 8, 2016 389 views
Networking Security VPN Scaling Ubuntu


I currently have several Droplets that have a tinc mesh VPN configured and it's working quite well.

However, there is a service that's being developed which only runs once a month and the intention will be to use the DigitalOcean API to dynamically create and destroy worker Droplets as necessary using a preconfigured snapshot.

The problem is that communication between these workers and core servers is unencrypted as tinc isn't very dynamic and IP addresses change when droplets are created and destroyed.

Does anyone know of a way of extending tinc to make it a little more dynamic so that it can allow communication with these worker droplets?

I can have the workers run a script at the start to configure tinc on their end with the correct addresses, but it's making sure communication is allowed to/from the other servers that seems to be the sticking point.

Maybe there's a way to dynamically use an internal DNS service?


2 Answers

Look through this mailing list thread, a possible solution is in there.


This may be a prime candidate situation for using a Floating IP which would allow you to have a static IP of sorts that could be assigned to and from servers on-demand.

So let's say you create a worker, assign a Floating IP to it, it does what it needs, and then you destroy it. The Floating IP is still "leased" by your account and can be used by another, so the next worker in queue can take on that Floating IP and so on and so forth.

Under Networking within the DigitalOcean Control Panel, the second box will allow you to assign new Floating IP's or reassign them to other Droplets. Of course, for automation, using the API would be the best solution. You can check out the docs for Floating IP's below:

Have another answer? Share your knowledge.